Ensure unattached disks are encrypted

Error: Unattached disks are not encrypted

Bridgecrew Policy ID: BC_AZR_GENERAL_34
Checkov Check ID: CKV2_AZURE_14
Severity: LOW

Unattached disks are not encrypted

Description

Encrypting your disks protect your data from unauthorized access or tampering. That way, you can ensure that only authorized users can access and modify the contents of your disks. Such action can help protect against external threats such as hackers or malware, as well as internal threats such as accidental or unauthorized access.

Fix - Buildtime

Terraform

  • Resource: azurerm_resource_group, azurerm_managed_disk, azurerm_virtual_machine
  • Argument: encryption_settings.encrypted
resource "azurerm_resource_group" "group" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_managed_disk" "managed_disk_good_1" {
  name                 = "acctestmd"
  location             = "West US 2"
  resource_group_name  = azurerm_resource_group.group.name
  storage_account_type = "Standard_LRS"
  create_option        = "Empty"
  disk_size_gb         = "1"

+ encryption_settings {
+   enabled = true
  }
  tags = {
    environment = "staging"
  }
}



resource "azurerm_virtual_machine" "virtual_machine_good_1" {
  name                  = "$vm"
  location              = "location"
  resource_group_name  = azurerm_resource_group.group.name
  network_interface_ids = ["id"]
  vm_size               = "Standard_DS1_v2"
  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "16.04-LTS"
    version   = "latest"
  }
  storage_os_disk {
    name              = "myosdisk1"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_id = azurerm_managed_disk.managed_disk_good_1.id
  }
}